I have the diagram below:
Server A -> A Firewall -> Router A <-> Router B <- B Firewall <- Server B
I am trying to do a crypto map between Router A and B. There is NAT being done at both firewall ends.
Server A: 192.168.5.11
NATed at Firewall to 126.96.36.199
Server B: 172.16.16.11
NATed at Firewall to 188.8.131.52
I have done a permit access-list for 184.108.40.206 and 220.127.116.11 for the crypto map configuration.
But my question is whether I need to open any ports at the firewall end?
Currently the crypto is not able to come up.
At the risk of making your headache worse :)
Phase 1 of your IPSEC is working fine.
The key bit out of your error file is
local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),
Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported
This is telling you that the routers disagree between what the local and remote networks are.
As you are NATing your servers to 203.x.x.x addresses, these should not be the local and remote subnets.
Can you recheck your crypto map access-list and if still not clear post your router configs.
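To make the point about proxy identities concrete, here is an added example of what mirror-image crypto ACLs look like on the two routers. This is not the poster's configuration or anything from the thread; it assumes the post-NAT host addresses from the question (126.96.36.199 for Server A and 188.8.131.52 for Server B), and the ACL names, crypto map names, transform-set name and peer placeholders are all made up for illustration. The "proxy identities not supported" error in the log above appears when the local_proxy/remote_proxy pair offered by one router is not the exact reverse of what the other router's crypto ACL permits, so each side's access-list must name the traffic as the router sees it (the NATed addresses), with source and destination swapped on the opposite router.

```cisco
! ===== Router A (added example, not the original poster's config) =====
! Traffic arriving from the A firewall is already NATed, so the crypto ACL
! must use the public (post-NAT) host addresses, not 192.168.5.11.
ip access-list extended VPN-A-TO-B
 permit ip host 126.96.36.199 host 188.8.131.52
!
crypto map CM-TO-B 10 ipsec-isakmp
 set peer <Router-B-WAN-address>      ! placeholder, assumed
 set transform-set TS-AES             ! placeholder transform-set name
 match address VPN-A-TO-B

! ===== Router B (added example) =====
! Must be the exact mirror image of Router A's entry: source and
! destination swapped, same masks (here single hosts).
ip access-list extended VPN-B-TO-A
 permit ip host 188.8.131.52 host 126.96.36.199
!
crypto map CM-TO-A 10 ipsec-isakmp
 set peer <Router-A-WAN-address>      ! placeholder, assumed
 set transform-set TS-AES
 match address VPN-B-TO-A
```

After applying this, `show crypto ipsec sa` on each router should show the local ident on one side equal to the remote ident on the other (here host/host pairs rather than the 172.26.128.0/24 and 172.23.184.0/24 subnets that appear in the posted debug). A mismatch in either address, mask, or protocol field between the two entries reproduces the "proxy identities not supported" failure even though Phase 1 completes.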